The test recurses down the JS stack to find the bottom (catching this with an exception),
then tries to call a host function (document.write), which writes new '<script>' code,
and expects this code to be run, then expects this code to try to call 'f();' again,
which it expects to fail, and it expects to catch that exception. However it is possible
that one of the earlier stages (the call to document.write, entering the interpreter to
run the new global code) will fail, depending on exactly how much stack space was free at
the point the last call to f() failed.

jit/JIT.h: Added data members and helper functions for recording
chained results. We record both a mapping from virtual to machine register
and the opcode for which the mapping is valid, to help ensure that the
mapping isn't used after the mapped register has been stomped by other
instructions.

rendering/RenderThemeSafari.cpp:
(WebCore::RenderTheme::themeForPage): Circumstances that lead to returning the RenderThemeWin
are the same under which we want to use the focus ring color from SafariTheme.
(WebCore::RenderThemeSafari::platformFocusRingColor): Renamed from focusRingColor

Delay updating scroll bar of descendants of flexbox until their
positions are determined. In this way we can prevent descendants
of flexible boxes from changing positions of their scrollbars
using tentative positions.

Input elements would go down this code path because it
would always get a null compositionNode from frame->editor().
Special casing compositionNodes is wrong because we explicitly
want unconfirmed IME input in the textarea's value (assuming we
want to match IE and Firefox here).

This change is originally created by Ojan Vafai <ojan@chromium.org> and
I just changed its manual tests with an automated test on his behalf.

In TCMalloc_PageHeap::Delete(), the deleted span can be decommitted in
the process of merging with neighboring spans that are also decommitted.
The merged span needs to be placed in the list of returned spans (spans
whose memory has been returned to the system). Right now it's always added
to the list of the normal spans which can theoretically cause thrashing.

Re-added code removed by commit r40499.
Without this, both Qt and Mac were crashing while running the test.

Note that this does not entirely fix the bug. It fixes the WebCore
crash, but the test no longer seems to work due to loader changes.
So this patch does not reenable the test. The test probably has to
be rewritten.

dom/ContainerNode.cpp:
(WebCore::ContainerNode::removedFromDocument): Re-added code to
set the CSS target of the document to 0.

When one transition finishes slightly before another the longer
one will fire a second time. This is because the second
ImplicitAnimation object is culled too early, before its final
RenderStyle is in place. This is done by cleanupFinishedAnimations()
so I got rid of that method completely and now clean up each
transition or animation at the point where I am setting the final
style, or when I detect that the transition or animation has been
terminated early (which happens when you remove it from the style).

page/animation/AnimationBase.cpp:
(WebCore::AnimationBase::getTimeToNextEvent):
Avoid a divide by zero if m_animation->duration() is zero, which can happen
if the duration is changed to zero while the animation is running.

Fix run-time crashes in JavaScriptCore with the Metrowerks compiler on Symbian.

The Metrowerks compiler on the Symbian platform moves the globally
defined Hashtables into read-only memory, despite one of the members
being mutable. This causes crashes at run-time due to write access to
read-only memory.

Avoid the use of const with this compiler by introducing the
JSC_CONST_HASHTABLE macro.

Based on idea by Norbert Leser.

bindings/scripts/CodeGeneratorJS.pm: Use JSC_CONST_HASHTABLE for hash tables
defined in the bindings.

It is possible that WebKitWebSettings and other classes get
constructed before the WebKitWebView. In this case WebCore is
not yet properly initialized. Add webkit_init to every class
that can be constructed by API users.

WebView/WebHTMLView.mm:
(-[WebHTMLView _recursiveDisplayRectIfNeededIgnoringOpacity:isVisibleRect:rectIsVisibleRectForView:topView:]):
Perform layout if needed, even on Mac OS X versions that have
-viewWillDraw. This prevents attempts to draw without layout in case
-viewWillDraw was not called due to NSView issues or the client
did something during the display operation that re-invalidated the
layout.

js/field.js:
(hideEditableField): Updated to add click event listeners to the
alias and short description elements to make them easier to
edit. Renamed field_id parameter to field2_id (short
description id) and added a field1_id parameter (alias id).
(showEditableField): If a third parameter is passed in the
ContainerInputArray parameter, use it to find the element to
focus. Otherwise, fall back to the original behavior of
focusing the first input field.
(hideAliasAndSummary): Changed to pass the id for the alias
element to hideEditableField().

This test used time delay to see if terminated worker does not return
messages (terminated). In some test conditions, the current delay (500ms)
is too short and test fails. Move setting the delay to the end of initialization
and increase it 2x to make test more reliable.

RenderBlock and RenderInline have confusingly named object creation methods:
RenderBlock::createRootBox/createRootInlineBox
RenderInline::createFlowBox/createInlineFlowBox
where the 2nd method in both cases just calls the first and then appends the created object.
I therefore renamed those methods to something IMHO more informative:

DumpRenderTree/cairo/PixelDumpSupportCairo.h: Added.
Provide Cairo version of the BitmapContext structure so that
dumping routines can work on an abstract type.
(BitmapContext::createByAdoptingBitmapAndContext):
(BitmapContext::~BitmapContext):
(BitmapContext::cairoContext):
(BitmapContext::BitmapContext):

<rdar://problem/6978783>
Software-rendered plug-in does not update correctly when inside a hardware layer

Replace calls to setNeedsDisplay: and setNeedsDisplayInRect: with a call to the new method
invalidatePluginContentRect:. This new method will ask WebCore to do the repainting, taking
transforms into account.

Land new results from my change to make replaced elements no longer be overflow:hidden by
default. This affected plaintext dumping, which is clearly a bug in and of itself. For now
I am just updating the results and will file a followup bug about the fact that text dumping actually
does something different with overflow on replaced elements (when it clearly should not).

If the CSS white-space property is inhibiting line breaking, we might
find end-of-line characters rendered via the complex text path. Fonts
don't provide glyphs for these code points so, if we find one, we
simulate the space glyph being interposed in this case. Because the
input is variable-length per code point, we walk the input in step
with the output.

This is breaking Chromium's build because PopupMenuChromium inherits
from ScrollView, but these functions are pure virtual in it. I could
put it directly in PopupMenuChromium, but that seems a bit silly since
the functions are fairly generic.

WebCoreSupport/WebViewFactory.mm:
(-[WebViewFactory mediaElementLoadingStateText]):
(-[WebViewFactory mediaElementLiveBroadcastStateText]):
Changed the localization comments to match the comments in the Windows
version of this file, to avoid warnings about different comments for
the same localized string.

Fix for bug 22119, clicks in the scrollbars of transformed content don't work. Add new
conversion methods for going across parent/child widget boundaries that can be implemented
by the FrameView and ScrollbarClient to be transform-aware.

fix <rdar://problem/6933052> SPOD playing video in a div with a box
shadow

Test: fast/box-shadow/transform-fringing.html

rendering/RenderBoxModelObject.cpp:
(WebCore::RenderBoxModelObject::paintBoxShadow): Clip out the
box even if it has an opaque background, but in that case, inset the
clip path by 1 pixel, to avoid antialiasing artifacts.
Do not inset the clip rect by 1 pixel if the CTM is purely a
translation.
Move the shadow-casting path away in the non-rounded-rect case (it
was already being done in the rounded-rect case), to avoid a black
fringe when the CTM is not purely a translation.

LayoutTests:

Reviewed by Dave Hyatt and Simon Fraser.

test for part of <rdar://problem/6933052> SPOD playing video in a div
with a box shadow